How to Protect Our PHP Script from LFI (Local File Inclusion)
Hello everybody,
Today we will learn how to protect our PHP script from LFI (local file inclusion).
Let's test:
<?php
// Vulnerable: the request parameter goes straight into the include path.
include($_GET["file"].".php");
?>
Oops, an error.
An attacker can exploit this error to display the config file or other files.
First, we add the @ operator before the include function:
<?php
// @ hides the error message; the include itself still runs.
@include($_GET["file"].".php");
?>
Now we see no error, but the code is still executed,
because when the @ operator is used in a PHP expression, any error messages
that the expression might generate are ignored.
What is the solution now?
The solution is to use a function that strips the bad sequences from the request:
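<?php
// Remove every listed sequence (case-insensitively) from the parameter.
function LFI($get)
{
    // The empty "" entry matches nothing; str_ireplace() skips it.
    $bad = array("%", "", "../", "/", "../..", "base64", "<", ">", "php://");
    $get = str_ireplace($bad, '', $get);
    return $get;
}

// Include the page named by the filtered parameter.
@include(LFI($_GET["file"]).".php");
?>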
The job is done; our PHP code is 100% safe.
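A stricter variant, as an added example that is not from the original post: instead of removing known-bad sequences, which only protects as long as the list is complete, it accepts only page names from a fixed allowlist and checks that the resolved file stays inside one directory. The `pages` directory, the page names and the `resolve_page` helper are assumptions made for illustration.

```php
<?php
// Added example, not from the original post.
// Assumption: page scripts live in a "pages" directory next to this file;
// the names in $allowed are placeholders.

/**
 * Map a user-supplied page name to a real file path, or return null.
 */
function resolve_page($name, array $allowed, $baseDir)
{
    // Reject anything that is not a plain string (e.g. ?file[]=x arrays).
    if (!is_string($name)) {
        return null;
    }
    // Exact, case-sensitive match against the fixed list. Request data only
    // reaches the path if it is identical to a name we chose ourselves.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    // Defence in depth: the file must exist and resolve inside $baseDir,
    // even if a symlink or a later edit to $allowed says otherwise.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$allowed = array('home', 'about', 'contact'); // hypothetical page names
$file = isset($_GET['file']) ? $_GET['file'] : 'home';
$page = resolve_page($file, $allowed, __DIR__ . '/pages');

if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}

// No @ here: errors should go to the log (display_errors off), not be hidden.
include $page;
```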